Tags

ESET uncovers another porn clicker on Google Play

Recently, Avast researchers discovered the Trojan porn clicker uploaded to Google Play Store and posing as “Dubsmash 2”. This clicker pretended to be an official application, and was downloaded more than 100,000 times. While the click fraud activity did not cause direct harm to the victims such as stealing credentials, it does generate a lot of internet traffic and may cause high data charges for victims that have a restricted data plan, leaving them with high cellphone bills at the end of the month.

Less than a month later, ESET researchers discovered that a plethora of variants of this same fake Dubsmash application found their way on to the official Google Play, showing the very same icons and preview pictures.

While this threat is entirely different from the one we documented last week, both cases are similar in the sense that they managed to get into the Google Play Store when they should have been rejected.

Figure 1 Fake Dubsmash 2 from Google Play – available between May 20 and May 22

The latest Dubsmash 2 Trojan was uploaded to Play Store on May 20, 2015 and pulled on May 22, 2015. In the two days during that it was available for download, it was downloaded more than 5,000 times. The malware once again used a clicker technique identical to that used in its earlier version.

The author of the malware didn’t wait too long before uploading another version of the porn clicker to Google Play on May 23, 2015, passed off as Dubsmash v2. After three days the application had been downloaded more than ten of thousands of times. On May 25, 2015 and on May 26 2015 Dubsmash 2 was uploaded to the Play Store for the fourth and fifth time with the same malicious code implemented. It’s very rare for malware to be uploaded to official Play Store with the same functionality so many times over such a short period.

Figure 2 Fake Dubsmash v2 – May 23

Figure 3 Fake Dubsmash 2 – May 25

Figure 4 Fake Dubsmash 2 – May 26

ESET security software detects this threat as Android/ClickerTrojan. The fake applications were quickly removed from Play Store after we notified Google.

Figure 5 Android/Clicker Trojan removed from Google Play

After further research we discovered that these four applications were not the only Dubsmash 2 applications uploaded to the Google Play Store. We found another four applications that were removed from the Play Store in the past. ESET identified nine Trojan Clicker applications altogether that were made available for download, disguised as fake Dubsmash 2 applications.

Figure 6 Other Dubsmash 2 variants

Analysis

After installation, the user will not find any new Dubsmash icon on the device. The newly installed app’s icon or name has nothing in common with the real Dubsmash application. Mostly it pretends to be a simple arcade game or system application. After startup, the application hide its launching icon, but it is still constantly running in the background, accessing porn pages to generate revenue via click fraud.

Figure 7 Dubsmash 2 icons

Malicious activity is triggered when the device changes its connection. It’s not difficult to get the server URL address, as the app developer did not encrypt URLs this time. The server URL can be found in the code in plaintext. But there is one interesting change from the last version. Malicious code will not be executed if anti-virus software is installed on the device. The Trojan checks installed applications, based on package names, against the names of 16 anti-virus vendors. Package names are dynamically requested from server over HTTP. Package names can be easily updated to add other anti-malware applications. When the Trojan is installed it may not yet be detected by all AV solutions, but in many cases AV vendors can block URLs on request if they are found to be malicious. In one case the Trojan uses the server to communicate with as in its earlier version. It’s very suspicious when the user is warned that his device is trying to request data from a server that has already been blocked. At this point, the user may be alarmed to find that something suspicious is going on.